The plugin does not interact with any other tables. (Technically it does save settings to wp_options like all plugins, but it does this through a WP API, not the DB directly.)
A security compromise could conceivably allow an attacker to read or maybe delete from this plugin’s own table of submissions but not any other table. There just isn’t any code in the plugin dealing with any other table.
Michael,
As I have not used your plugin directly I would potentially beg to differ with you. Explicitly stating that it does not deal with other tables can still present security concerns. Albeit most likely little.
Take a look at the SQL injection cheatsheet, in particular this section:
Union Injections
With UNION you can do cross-table SQL queries. Basically you can poison the query to return records from another table.
SELECT header, txt FROM news UNION ALL SELECT name, pass FROM members
This will combine results from both the news table and the members table and return all of them.
There are a lot of methods for SQL-based attacks out there, with new ones coming out all the time. Nothing is 100% secure.
To m-Aurelius,
No one can address any and all potential security threats. Even if this plugin were perfectly secure, there would be no guarantee that the next one you install will be.
Security is a combination of factors such as routine backup procedures, timely plugin updates and actively participating in your own WordPress blog security when you implement the security plugins you choose.
Fair enough. Prepared statements are used to protect against SQL injection.
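The exchange above turns on two points: the UNION injection quoted from the cheatsheet (a query that only touches the plugin's own table can still be made to return rows from wp_users, because the database connection runs with the WordPress DB user's privileges, not the plugin's), and the closing remark that prepared statements are the defence. The following is an added example, not code from the plugin or from either commenter, that shows both against an in-memory SQLite database. The table names plugin_submissions and wp_users, the column names, the sample rows and the UNION_PAYLOAD string are all constructed for the demonstration; the real plugin's schema is not on this page.

```python
import sqlite3


def build_db():
    """Constructed sample data: one plugin table plus a core WordPress table.

    Both live on the same connection with the same privileges, which is the
    situation the thread is discussing: the plugin's code never names wp_users,
    but the database user it runs as can read it.
    """
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE plugin_submissions "
                "(id INTEGER PRIMARY KEY, name TEXT, message TEXT)")
    cur.execute("CREATE TABLE wp_users "
                "(ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT)")
    cur.executemany("INSERT INTO plugin_submissions (name, message) VALUES (?, ?)",
                    [("alice", "hello"), ("bob", "question about pricing")])
    # Hypothetical password hashes, constructed for the example.
    cur.executemany("INSERT INTO wp_users (user_login, user_pass) VALUES (?, ?)",
                    [("admin", "$P$Bhashofadminpass"),
                     ("editor", "$P$Bhashofeditorpass")])
    conn.commit()
    return conn


def search_vulnerable(conn, name):
    """Vulnerable form: user input is pasted into the SQL text.

    The query only ever mentions plugin_submissions, yet the attacker decides
    what the final SQL says.
    """
    sql = ("SELECT name, message FROM plugin_submissions "
           "WHERE name = '" + name + "'")
    return conn.execute(sql).fetchall()


def search_safe(conn, name):
    """Hardened form: a parameterised (prepared) statement.

    The SQL text is fixed; the value is bound separately and is compared as a
    literal string, so a UNION in the input is just an odd-looking name.
    """
    sql = "SELECT name, message FROM plugin_submissions WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed payload in the shape of the cheatsheet's UNION example: close the
# string literal, append a second SELECT with the same number of columns from
# a different table, and comment out the trailing quote.
UNION_PAYLOAD = "x' UNION ALL SELECT user_login, user_pass FROM wp_users -- "


if __name__ == "__main__":
    db = build_db()
    print("legitimate search:", search_vulnerable(db, "alice"))
    print("UNION payload, vulnerable query:", search_vulnerable(db, UNION_PAYLOAD))
    print("UNION payload, prepared statement:", search_safe(db, UNION_PAYLOAD))
```

Running it prints the two submission rows for a normal search, the wp_users login/hash pairs when the payload goes through the concatenated query, and an empty result when the same payload goes through the parameterised one. In a WordPress plugin the equivalent of search_safe is $wpdb->prepare() with %s/%d placeholders rather than building the string with the input inside it.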